Julian Anastasov <j...@ssi.bg> wrote:
> But the following packet is different from your
> initial posting. Why client connects directly to the real server?
> Is it allowed to have two conntracks with equal reply tuple
> 192.168.99.4:8080 -> 192.168.99.6:15280 and should we support
> such kind of setups?

I don't even see how it would work, if you allow C1 -> S C2 -> S ... in conntrack and you receive packet from S, does that need to go to C1 or C2? Such duplicate CT entries are freed (refused) at nf_confirm (conntrack table insertion) time.
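
Added example, not part of the original message and not kernel code: a simplified Python model of why a second conntrack entry with an equal reply tuple is refused at confirm time. The reply tuple 192.168.99.4:8080 -> 192.168.99.6:15280 is the one quoted above; the virtual address 192.0.2.10:80 and all class and function names are assumptions made for the illustration.

```python
from typing import NamedTuple

class Tuple5(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class Conntrack(NamedTuple):
    original: Tuple5   # direction of the first packet
    reply: Tuple5      # what a reply packet looks like (after NAT)

def invert(t: Tuple5) -> Tuple5:
    return Tuple5(t.dst, t.dport, t.src, t.sport, t.proto)

class ConntrackTable:
    """Toy model: a confirmed entry is indexed by BOTH of its tuples."""
    def __init__(self):
        self.by_tuple = {}
        self.insert_failed = 0   # model counter, named after the conntrack stat

    def confirm(self, ct: Conntrack) -> bool:
        # If either direction is already owned by another entry, a packet
        # from S could not be mapped to exactly one flow: refuse the insert.
        if ct.original in self.by_tuple or ct.reply in self.by_tuple:
            self.insert_failed += 1
            return False
        self.by_tuple[ct.original] = ct
        self.by_tuple[ct.reply] = ct
        return True

    def lookup(self, pkt: Tuple5):
        return self.by_tuple.get(pkt)

def demo():
    client, real = ("192.168.99.6", 15280), ("192.168.99.4", 8080)
    vip = ("192.0.2.10", 80)   # constructed virtual service address
    table = ConntrackTable()
    # Flow 1: client -> VIP, rewritten to the real server, so the reply
    # tuple is real server -> client.
    via_vip = Conntrack(Tuple5(*client, *vip), Tuple5(*real, *client))
    # Flow 2: same client port connects directly to the real server.
    direct_orig = Tuple5(*client, *real)
    direct = Conntrack(direct_orig, invert(direct_orig))
    first = table.confirm(via_vip)
    second = table.confirm(direct)            # equal reply tuple -> refused
    owner = table.lookup(Tuple5(*real, *client))
    return first, second, owner is via_vip, table.insert_failed

if __name__ == "__main__":
    print(demo())
```
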